From c5f06674face995f4255fa799a5a04dfb90a09bb Mon Sep 17 00:00:00 2001
From: phpnut <phpnut@cakephp.org>
Date: Wed, 2 Apr 2008 06:08:55 +0000
Subject: [PATCH] "Fixes #4394, SecurityComponent::!__validatePost fails on
 hasMany multi-record form. "

git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@6618 3807eeeb-6ff5-0310-8944-8be069107fe0
---
 cake/libs/controller/components/security.php  | 10 +++++--
 .../controller/components/security.test.php   | 28 +++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/cake/libs/controller/components/security.php b/cake/libs/controller/components/security.php
index f50ecf5db..3c17bb259 100644
--- a/cake/libs/controller/components/security.php
+++ b/cake/libs/controller/components/security.php
@@ -564,11 +564,17 @@ class SecurityComponent extends Object {
 					unset($controller->data[$key]);
 					continue;
 				}
+				$keys = array_keys($value);
 
 				if (isset($field[$key])) {
-					$field[$key] = array_merge($field[$key], array_keys($value));
+					$field[$key] = array_merge($field[$key], $keys);
+				} elseif (is_numeric($keys[0])) {
+					foreach ($value as $fields) {
+						$merge[] = array_keys($fields);
+					}
+					$field[$key] = $merge;
 				} else {
-					$field[$key] = array_keys($value);
+					$field[$key] = $keys;
 				}
 			}
 
diff --git a/cake/tests/cases/libs/controller/components/security.test.php b/cake/tests/cases/libs/controller/components/security.test.php
index c15b881f6..b7b14a986 100644
--- a/cake/tests/cases/libs/controller/components/security.test.php
+++ b/cake/tests/cases/libs/controller/components/security.test.php
@@ -161,6 +161,34 @@ class SecurityComponentTest extends CakeTestCase {
 		$this->assertTrue($result);
 	}
 
+	function testValidateHasManyModel() {
+	  $this->Controller->Security->startup($this->Controller);
+		$key = $this->Controller->params['_Token']['key'];
+
+		$data['Model'][0]['username'] = '';
+		$data['Model'][0]['password'] = '';
+		$data['Model'][1]['username'] = '';
+		$data['Model'][1]['password'] = '';
+		$data['__Token']['key'] = $key;
+
+		$fields = array(
+		  'Model' => array(
+		    0 => array('username', 'password'),
+		    1 => array('username', 'password'),
+		  ),
+		  '__Token' => array('key' => $key)
+		);
+
+		$fields = $this->__sortFields($fields);
+
+		$fields = urlencode(Security::hash(serialize($fields) . Configure::read('Security.salt')));
+		$data['__Token']['fields'] = $fields;
+
+		$this->Controller->data = $data;
+		$result = $this->Controller->Security->__validatePost($this->Controller);
+		$this->assertTrue($result);
+  }
+
 	function __sortFields($fields) {
 		foreach ($fields as $key => $value) {
 			if(strpos($key, '_') !== 0) {